Internet Firewall

NOTICE:  New protections for all users via the Internet firewall on May 31st, 2006.

Update:  The new Internet firewall described below was activated today, May 31st, 2006 at 1:02 p.m.  Servers registered and approved prior to 5:00 p.m. yesterday will be allowed to receive traffic as requested unless otherwise conveyed.  All server registrations will be reviewed with the server owners over the summer, and unnecessary rules or requests that don't adhere to security policies will be removed.

Computer Services Networking has multiple foreign machines that sit outside this firewall in MOREnet's address space that can be used to test access to University resources from "off-campus" locations.  Questions regarding testing or access issues should be directed to Mark Harsen or Josh Stuppy.

Summary:  On Wednesday, May 31, 2006, the Computer Services Networking Services unit will activate University-wide protections in the Internet firewall.  The firewall will protect all systems from unsolicited probes from the Internet, greatly increasing the security of our systems.  However, servers offering information to the general public via the Internet must be registered before this date so that firewall rules can be created to allow uninterrupted service.
Users may need to use the University VPN (authentication required) to gain off-campus access to servers that offer content only to University affiliates.  Outgoing email restrictions will also be enforced to greatly reduce occurrences of Missouri State University being put on email blacklists when virus-infected machines attempt to flood the Internet with spam.
All clients will be able to retrieve information from the Internet as before without any special considerations.  Therefore, most users will obtain the extra protection without changing anything.  Server owners must consider the audience of their servers and plan accordingly.  Please read the full announcement and contact Mark Harsen or Josh Stuppy with questions and registrations.


April 20, 2006

Introduction

On May 31st, 2006 a new campus firewall will start guarding and protecting Missouri State University’s computer systems from Internet attacks.  This date falls between the Spring 2006 and Summer 2006 semesters.  This project was pre-approved by many entities, including the University President, when the University applied for Federal funding.  It will greatly enhance the security and reduce the vulnerability of all workstations and servers connected to the Missouri State University networks in Springfield, West Plains, Mt. Grove, Lebanon, and Branson.  The intent of this firewall is to help protect our networks and computer systems from the continuous probes and attacks from the Internet.  All possible steps will be taken to ensure that the firewall implementation provides this extra security without impeding the business of the University.  Here is an overview of the projected implementation:

Protection

All devices will be behind the firewall and receive protection.  The basic type of protection offered is invisibility and inaccessibility.  In other words, unless a machine is offering an approved service to the Internet, the machine cannot be seen nor can it be contacted directly from the Internet.  By default, however, all machines can solicit information from the Internet and receive answers just as before.  Therefore, most users won’t even notice a difference.

Audience

Many machines are classified as servers that provide services of differing types to various people.  For the purposes of this discussion, it is easiest to understand the implications of the firewall installation by classifying servers by the audience receiving those services.  Three basic classifications exist:

  1. Public – These services are available to the general public at large regardless of their affiliation with the University.  Prospective students, prospective employees, and people generally wanting to learn about the University fit here.

  2. University – Services to the University community are used only by people affiliated with the University such as students, staff, faculty, and special guests.  These guests could be emeritus, research partners, or even vendors in an official relationship with the University.

  3. Personal – If the service is not associated with University business in any way, the service is classified as personal.  A web site hosting personal blogs, vacation pictures, games, etc. falls in this category.  (Personal business endeavors over the State-funded networks are not allowed.)

Definition of On-Campus

A user is considered “on-campus” and, therefore, behind the firewall if the user accesses Missouri State University’s networks via a wired jack, a wireless connection, a dialup modem, or over a VPN (Virtual Private Network) connection at any of the Springfield, West Plains, Mt. Grove, Lebanon, and Branson facilities.  Therefore off-campus access to all on-campus resources can occur without being affected by the firewall if a dialup modem or the VPN is utilized.  It is important to remember this, especially the VPN service, as VPN is the solution to many potential access problems from the Internet by University affiliates anywhere in the world.

Rules of Access

The rules of access are easily defined by audience:

  1. Public class servers will be allowed to receive unsolicited requests from the Internet, but only using the appropriate protocol.  Web servers will be allowed to receive web requests, for example, but would be denied FTP requests from outside.

  2. University class servers will be blocked by the firewall.  If affiliates of the University wish to access these “University only” resources from off-campus, then the VPN service should be utilized to create an encrypted secure tunnel through the firewall between University networks and the user anywhere in the world.

  3. Access to Personal class servers will not be granted through the firewall.  People on-campus (see definition above) will still retain access, but people not affiliated with the University will not be able to connect to personal servers from the Internet.  The solution to this problem is to move the personal service to a public server provided by Computer Services or to a departmental server.  Again, no holes through the firewall will be created for personal services.  Affiliates can still access the resource, however, via the VPN.

Electronic Mail

Thus far, this document outlines access from the Internet to campus resources.  However, special cases may exist where machines on campus may be prohibited from sending information to the Internet.  The only such identified case thus far is electronic mail.  Many viruses today send spam email to the Internet and often cause the University as a whole to be blacklisted.  This situation keeps legitimate email from being transferred between the University and possibly thousands of other sites.

Indeed, this very situation occurred in December 2005 through January 2006, when five virus-infected machines sent spam email to so many Internet sites that the University was blacklisted.  Important correspondence between Earthlink subscribers and University Administrators could not occur and many problems ensued.

To eliminate this problem, electronic mail to off-campus sites will only be allowed through registered and approved email servers.  Current thinking dictates that there will be one or two approved email servers only and all clients on campus must be configured to use these email servers if delivery off campus is desired.  Individual machines will not be allowed to send directly, but should easily be able to be configured to use an approved server to transmit email.

A side-effect of this change might be experienced by those who use a third party email service (Gmail, Earthlink, etc.) from inside the University’s network.  The web email interfaces to these services will remain unaffected, but users will no longer be allowed to send email through a direct connection to outside email servers using SMTP connections.  If SMTP is used, the email client must be configured to send outbound email through an approved, on-campus server.  Some other connection types, such as POP, will also not be affected.  Users may want to configure their email clients to periodically check for new incoming mail as well.
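The Rules of Access above and the outbound email restriction in this section describe one firewall policy: deny unsolicited inbound traffic by default, allow registered Public-class services only on their registered protocol and port, treat VPN users as on-campus, allow outbound requests by default, and allow direct SMTP to the Internet only from approved relays.  The following Python model is an added example written for this page, not a configuration from Computer Services Networking.  All addresses are constructed from the RFC 5737 documentation ranges, and the campus range, VPN range, relay address, registered services and the `decide` function are assumptions made here for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# All addresses below are constructed from the RFC 5737 documentation ranges;
# they are not Missouri State University's real networks or servers.
CAMPUS_NETS = [ip_network("192.0.2.0/24")]     # wired/wireless/dialup campus space (constructed)
VPN_NET = ip_network("198.51.100.0/24")         # addresses assigned to VPN clients (constructed)

# Registered and approved Public-class services: (server IP, protocol, port).
# A web server is approved for web traffic only, as the announcement describes.
PUBLIC_SERVICES = {
    ("192.0.2.10", "tcp", 80),   # departmental public web server (constructed)
    ("192.0.2.53", "udp", 53),   # public DNS server (constructed)
}

# The "one or two approved email servers" that may open SMTP sessions to the Internet.
APPROVED_MAIL_RELAYS = {ip_address("192.0.2.25")}  # constructed

SMTP_PORT = 25


@dataclass(frozen=True)
class Flow:
    """The first packet of a connection, as seen by the Internet firewall."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def is_on_campus(addr: str) -> bool:
    """Per the 'Definition of On-Campus': campus LANs and VPN clients both count."""
    ip = ip_address(addr)
    return any(ip in net for net in CAMPUS_NETS) or ip in VPN_NET


def decide(flow: Flow) -> tuple:
    """Return (verdict, reason) for a new connection attempt.

    Return traffic for connections already allowed is assumed to be passed by
    the firewall's state tracking and is not modelled here.
    """
    src_inside = is_on_campus(flow.src)
    dst_inside = is_on_campus(flow.dst)

    if src_inside and dst_inside:
        # Campus-to-campus traffic (including VPN users) never crosses the Internet firewall.
        return ("allow", "on-campus traffic, firewall not in path")

    if src_inside and not dst_inside:
        # Outbound: clients may solicit anything from the Internet, except that
        # direct SMTP delivery is reserved for the approved relays.
        if flow.proto == "tcp" and flow.dport == SMTP_PORT:
            if ip_address(flow.src) in APPROVED_MAIL_RELAYS:
                return ("allow", "outbound SMTP from approved relay")
            return ("deny", "outbound SMTP only via approved relay")
        return ("allow", "outbound request permitted by default")

    if not src_inside and dst_inside:
        # Inbound: unsolicited Internet traffic reaches only registered Public
        # services, and only on the registered protocol and port.
        if (flow.dst, flow.proto, flow.dport) in PUBLIC_SERVICES:
            return ("allow", "registered public service")
        return ("deny", "unsolicited inbound traffic")

    return ("deny", "transit traffic not handled by this firewall")


if __name__ == "__main__":
    internet = "203.0.113.25"   # an arbitrary outside host (constructed)
    samples = [
        Flow(internet, "192.0.2.10", "tcp", 80),      # web request to registered web server
        Flow(internet, "192.0.2.10", "tcp", 21),      # FTP to the same server: not registered
        Flow(internet, "192.0.2.50", "tcp", 80),      # University-class server from the Internet
        Flow("198.51.100.7", "192.0.2.50", "tcp", 80),  # same server reached over the VPN
        Flow("192.0.2.77", internet, "tcp", 25),      # desktop sending SMTP directly
        Flow("192.0.2.25", internet, "tcp", 25),      # approved relay sending SMTP
        Flow("192.0.2.77", internet, "tcp", 110),     # POP to a third-party mailbox
    ]
    for f in samples:
        verdict, why = decide(f)
        print(f"{f.proto}/{f.dport} {f.src} -> {f.dst}: {verdict} ({why})")
```

The model evaluates only the first packet of each connection; a real stateful firewall then passes the replies to an allowed request, which is what lets clients "retrieve information from the Internet as before".  The FTP case is the one server owners most often miss: registering a web server opens port 80 only, so any other service on the same machine stays blocked until it is registered separately.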

Timeline

Between now and May 30, information will be gathered regarding public services and the University population will be educated on access methods for University class services and on moving personal services to appropriate Computer Services or departmental servers.

Appropriate firewall configuration will be built to allow public services through the firewall and those rules will be activated between the Spring 2006 and Summer 2006 semesters the morning of May 31st.  Problems will be identified and corrected throughout the summer and temporary holes will be allowed to give users extra time to meet the new requirements.

For example, if someone is running a personal web site and did not get it moved to a central or departmental server, a temporary hole through the firewall will be created upon request, but only for the summer.  Once the service has successfully been moved, the hole will be closed.  All remaining holes will be closed at the end of the summer semester even if the service has not been moved.

Assistance and Registration

The above outlines the current plans for firewall implementation.  However, assistance is needed in identifying Public services and protocols being used and in educating owners of University and Private services of the available options.  We therefore ask everyone to please help gather and disseminate the appropriate information.  Assistance is also requested from everyone in identifying items or situations which may not have been covered by this plan so that the plan may be updated.  Our goal is to retain flexibility and find ways to make our networks more secure while still providing all required services to all users.  Please see “Contacts” below.

If anyone is aware of a situation that will be affected by this campus firewall initiative, please gather appropriate information or put the owner of the service in contact with the Computer Services Networking Services unit.  Not all services need to be registered.  If, for example, a University service is identified, but the users are aware of and satisfied with the VPN offering for off-campus access, no registration is required.  Only users needing special consideration or assistance need to register or contact Computer Services Networking.  The required information includes the following, which Networking will assist in gathering once contact is made:

Service Owner:  The name of the person responsible for the indicated service
Contact Information:  Phone number, pager, cell phone, etc. of the person
Service Class:  Public, University, or Private
Audience:  General audience and justification
Server Name:  The name of each server needing special consideration
Server IP:  The IP address of the server needing special consideration
Service Offered:  The specific service offered.  For example, a web server implies only port 80, but are others needed?  Are the ports TCP or UDP based?
Other:  Other special information or issues that have not come up or have not been adequately addressed.

Approval

Finally, there is a committee that will approve requests and classifications of various services.  Please note that this is a security initiative intended to protect our users, not to penalize them.  Customer service is the top priority within the limits of security requirements and all reasonable requests should be fulfilled easily.  Keep in mind, however, that services should originate from hardened servers, not from typical end-user desktop machines. 

Testing

Computer Services Networking has temporarily procured a foreign Internet connection in Blair House that can be used for pre and post production testing.  Appropriate firewall rules can be installed on a test basis applying only to a laptop connected outside of Missouri State University.  This machine and evaluation rules can then be used to test applications prior, during, or after the firewall goes into production.  Server owners are highly encouraged to perform pre-testing.  Please contact Mark Harsen or Josh Stuppy to make arrangements.

Contacts

Please direct gathered information, questions, testing requests, or un-addressed situations to Mark Harsen at extension 6-4392 or via email to Mark.Harsen@MissouriState.Edu or Josh Stuppy at extension 6-6449 or via email to JoshStuppy@MissouriState.Edu.  Registration web pages are being developed to assist, but please use phone or email at this time.

Copyright © 2000 Board of Governors, Missouri State University
Maintained by Computer Services Networking   Last Modified: October 08, 2007